🚀 DevSecOps CI/CD Journey: Jenkins, Docker, Trivy & SonarQube

Documenting my hands-on experience building secure and automated CI/CD pipelines with real-world problem-solving.

🛠️ What I Built

  • Custom Jenkins pipeline running in Docker
  • Automated Docker builds of my personal portfolio site
  • Integrated security scanning with Trivy (vulnerabilities)
  • Integrated code quality analysis with SonarQube
  • Pushes images safely to Docker Hub

📌 Key Challenges & How I Solved Them

  1. Jenkins container couldn’t access the internet

    Solution: Adjusted Docker daemon network configuration and verified connectivity using nslookup google.com inside the container.

  2. Jenkins couldn’t run Docker commands inside the container

    Solution: Mounted /var/run/docker.sock and added the Jenkins user to the Docker group. Commands like docker ps worked inside Jenkins.

  3. CI pipeline failed at Docker login/push

    Solution: Configured Jenkins credentials using withCredentials block for secure login and push to Docker Hub.

  4. Integrating Security & Code Quality Scans

    Trivy stage for Docker image scanning:
    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --exit-code 1 --severity CRITICAL $IMAGE_NAME
    SonarQube stage for static code analysis:
    sonar-scanner -Dsonar.projectKey=iportfolio-sites -Dsonar.sources=. -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN
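To show how the pieces above fit together, here is an added declarative Jenkinsfile (my own illustration, not the post's actual pipeline). The credential IDs `dockerhub-creds` and `sonar-token`, the Docker Hub namespace `myuser` and the SonarQube URL are assumptions to replace with your own values.

```groovy
// Added example, not the post's own Jenkinsfile. Assumed values: credential IDs
// 'dockerhub-creds' and 'sonar-token', Docker Hub namespace 'myuser', and the
// SonarQube URL; replace them with your own.
pipeline {
    agent any
    environment {
        IMAGE_NAME     = "myuser/iportfolio-sites:${env.BUILD_NUMBER}"  // assumed namespace
        SONAR_HOST_URL = 'http://sonarqube:9000'                         // assumed address
    }
    stages {
        stage('Build') {
            steps { sh 'docker build -t "$IMAGE_NAME" .' }
        }
        stage('SonarQube analysis') {
            steps {
                // The token is read from the Jenkins credential store and masked in the log.
                withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_AUTH_TOKEN')]) {
                    sh '''
                      sonar-scanner -Dsonar.projectKey=iportfolio-sites -Dsonar.sources=. \
                        -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.login="$SONAR_AUTH_TOKEN"
                    '''
                }
            }
        }
        stage('Trivy scan') {
            steps {
                // --exit-code 1 fails this stage, and so blocks the push, on any CRITICAL finding.
                sh '''
                  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
                    aquasec/trivy:latest image --exit-code 1 --severity CRITICAL "$IMAGE_NAME"
                '''
            }
        }
        stage('Push') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'dockerhub-creds',
                                                  usernameVariable: 'DOCKER_USER',
                                                  passwordVariable: 'DOCKER_PASS')]) {
                    // --password-stdin keeps the password out of argv and the build log.
                    sh 'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin'
                    sh 'docker push "$IMAGE_NAME"'
                    sh 'docker logout'
                }
            }
        }
    }
}
```

Because the Trivy stage runs before the push, an image with a CRITICAL finding never reaches Docker Hub.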

📖 Key Learnings

  • Understanding Docker-in-Docker issues
  • Managing user permissions and group IDs for secure CI pipelines
  • Writing robust Jenkins pipelines with multi-stage CI/CD
  • Integrating DevSecOps best practices into personal projects
  • Handling real-world problems in containerized environments

💡 Useful Commands I Learned

docker exec -it jenkins bash           # Enter Jenkins container
docker build -t my-image:latest .      # Build Docker image
docker run --rm busybox nslookup google.com  # Test network inside container
docker volume rm jenkins_home          # Remove old Jenkins data

🎯 Outcome

  • Fully functional CI/CD pipeline with Docker, Trivy, SonarQube, Jenkins
  • Securely building and pushing portfolio image to Docker Hub
  • Reproducible setup ready to scale for other projects

💬 Final Note

This journey reinforced the importance of practical problem-solving in DevOps. From debugging Docker networking to securing Jenkins pipelines, hands-on experience was invaluable.

#DevOps #DevSecOps #Jenkins #Docker #CI_CD #Trivy #SonarQube #DockerHub #LearningJourney